Intel in Hot Water for Hiding Meltdown & Spectre Bugs from Government Officials

After concerns voiced by the US government officials, it appears Intel may have intentionally hid Meltdown and Spectre chip flaws from the government security officials. Letters sent by Alphabet, Microsoft, Intel, and other companies reveal that while Google had informed the chipmaker of the flaws a few months back, Intel or other companies never actually alerted the United States Computer Emergency Readiness Team (US-CERT), which is responsible for warning private companies and the public about security issues.

In its defense, Intel suggests it did not believe if the flaws would harm critical infrastructure.

In response to questions from Representative Greg Walden, chairman of the House Energy and Commerce Committee, Alphabet said in its letter that its Project Zero researchers informed Intel, AMD and ARM about these flaws in June, 2017. Giving its regular 90-days disclosure deadline, Google left the decision of informing the government officials to the companies themselves, which is its standard practice according to Reuters.

This disclosure deadline was extended twice, first to January 3 and then to January 9. However, the disclosure was forced when a media website published the details of the bugs before they were reported or fixed by the companies themselves.

Microsoft adds that it informed several AV makers weeks ahead of the public disclosure to give them time to avoid compatibility issues.

Unclear what AMD or ARM said but things don’t look good for Intel

Earlier reports suggesting that Intel informed Chinese companies before the US government raised some concerns in the country. Reuters reports that Intel’s letter suggests it did not inform the government officials because it had “no indication that any of these vulnerabilities had been exploited by malicious actors.”

Walden made Intel’s letter available to the public last night. One excerpt from it reads (PDF):

The United States Computer Emergency Readiness Team was first informed of the exploits through public disclosure on January 3, 2018. Intel promptly discussed this disclosure with US-CERT on that day and again two days later, on January 5, 2018.

The chipmaker adds that the company did not perform any analysis to see whether these security vulnerabilities would affect critical infrastructures since it didn’t believe if they could affect industrial control systems. While no one has appeared to informed the US-CERT ahead of the forced public disclosure, Intel said that it did inform other technology companies that use its chips of the security issues.

It isn’t immediately clear if AMD and ARM have responded to these questions and what was their argument to keep the government cybersecurity officials out of the picture.

“Cybersecurity is a collective responsibility,” Walden said. “My committee will continue to investigate this issue and the trade-offs between disclosure and secrecy in cybersecurity incidents.”